Case Information
*1 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 1 of 31 PageID #:
1211 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF INDIANA INDIANAPOLIS DIVISION RACHEL JARRETT, individually and on )
behalf of all others similarly situated, )
)
Plaintiff, )
) v. ) No. 1:23-cv-01261-RLY-CSW )
UPPERLINE HEALTH, INC., d/b/a )
UPPERLINE HEALTH INDIANA, )
)
Defendant. ) ENTRY ON DEFENDANT'S MOTION TO DISMISS
Plaintiff Rachel Jarrett filed a Second Amended Class Action Complaint ("SAC") against Upperline Health, Inc. d/b/a Upperline Health Indiana on behalf of a putative class of similarly situated persons. Plaintiff alleges that Upperline non-consensually and deceptively embedded third-party source code on its publicly available website. She alleges this third-party source code, which is not visible to users of the website, causes transmissions of her personally identifying, private health information to third parties, including Facebook. Plaintiff filed this suit in federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). She asserts claims for negligence (Count I), negligence per se (Count II), invasion of privacy (Counts III & IV), implied breach of contract (Count V), unjust enrichment (Count VI), bailment (Count VII), violation of the Indiana Deceptive Consumer Sales Act (Count VIII), violation of the Electronic *2 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 2 of 31 PageID #:
1212 Communications Privacy Act (Counts IX-XI), and violation of the Computer Fraud and Abuse Act (Count XII).
Upperline now moves to dismiss Plaintiff's SAC under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted. For the reasons discussed below, the court finds Upperline's motion should be GRANTED in part and DENIED in part .
I. Background
Upperline is a for-profit healthcare corporation organized in Delaware with a principal place of business in Nashville, Tennessee. (Filing No. 85, SAC ¶ 34). It operates over a dozen podiatry clinics in Indiana and maintains a public website at https://www.upperlinehealthindiana.com (the "Website"). [1] ( Id . ¶ 10). Upperline encouraged its patients to use the Website to access a patient portal, pay bills, complete new patient paperwork, view Upperline's medical services, and find doctors and clinic locations. ( Id . ¶ 11).
According to the Second Amended Complaint, Upperline embedded tracking devices on its Website, which collected and transmitted Plaintiff's protected health *3 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 3 of 31 PageID #:
1213 information ("PHI") [2] and/or her personally identifiable information ("PII") [3] (collectively "Private Information") to Facebook, Google, and other third parties, without her knowledge or consent. ( Id. ¶ 10). A tracker is "a snippet of code embedded into a website that tracks information about its visitors and their website interactions." ( Id. ¶ 13).
One of the trackers Upperline installed on its Website from roughly January 28, 2021, through April 3, 2023, was Facebook's Meta Pixel. ( Id. ¶¶ 14, 74). By default, the Meta Pixel tracks information about a web user's device and the URLs and domains they visit. ( Id. ¶ 14). It can also be configured to track a visitor's search terms, button clicks, and form submissions. ( Id. ). Further, the Meta Pixel can link a user's website interactions with an individual's unique and persistent Facebook ID, "allowing a user's health information to be linked with their Facebook profile." ( Id. ). Upperline utilized the Meta Pixel to market its services and bolster its profits. ( ¶ 20). Facebook, in turn, utilizes data from its tracking technology to build data profiles for the purpose of creating *4 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 4 of 31 PageID #:
1214 targeted online advertisements and enhanced marketing services, which it sells for a profit. ( Id. ).
Plaintiff resides in Kokomo, Indiana, and was a patient of Upperline from April to October 2022. ( Id. ¶ 111 ). During that time, she alleges she accessed the Website "somewhere between five and ten times" to schedule appointments and to access the patient portal to send messages to her doctor. ( Id . ¶¶ 111, 115). Plaintiff reasonably expected that her online communications with Upperline were confidential, solely between herself and Upperline, and, as such, would not be transmitted to third parties. ( Id. ¶ 116).
Plaintiff alleges that, through utilization of the Facebook Meta Pixel, Upperline unlawfully disclosed her Private Information, including her identity, location, patient status, health conditions and the treatment she sought, and the names of the medical providers she searched for and viewed, to Facebook without her knowledge or consent. ( Id. ¶¶ 118, 125, 127). Plaintiff claims that since using Upperline's Website, she has been "targeted by health-related online advertisements" on her Facebook page, including podiatry-related advertising, and "has even received a massive shipment of braces and casts, with no return address." ( Id. ¶¶ 120-21, 129(b)).
Upperline does not provide its patients with any privacy policies, nor discloses that their usage of its Website is not private or that the Website contains Meta Pixel or other tracking technologies to its patients. ( Id. ¶ 70). Plaintiff first discovered Upperline was using the Meta Pixel and other tracking technologies to gather and disclose her Private Information in October 2023. ( ¶ 124).
Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 5 of 31 PageID #:
1215 All other allegations necessary to resolve this motion will be addressed in the Discussion Section.
II. Legal Standard
Pursuant to Federal Rule of Civil Procedure 12(b)(6), a party may move to dismiss
a pleading for failure to state a claim upon which relief can be granted. To survive a
motion to dismiss, the claim "must contain sufficient factual matter, accepted as true, to
state a claim to relief that is plausible on its face."
Bell Atl. v. Twombly
,
III. Discussion
The court previously dismissed Plaintiff's First Amended Complaint on grounds that Plaintiff failed to plausibly allege that her use of Upperline's public Website resulted in the disclosure of her Private Information to Facebook. ( See Filing No. 83, Entry on Def.'s Mot. to Dismiss). Upperline now moves to dismiss Plaintiff's SAC on grounds that *6 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 6 of 31 PageID #:
1216 it fails to cure the deficiencies the court outlined in its Entry dismissing Plaintiff's First Amended Complaint. Consequently, the court addresses that issue first.
A. Plaintiff's Private Information Upperline argues that Plaintiff has once again failed to plausibly allege that she communicated her Private Information on Upperline's public Website to access the patient portal, schedule appointments, and to find a doctor, which was then transmitted to Facebook.
Allegations that a plaintiff searched and viewed publicly available information on
a public website are insufficient to allege a disclosure of sensitive Private Information.
See Cousin v. Sharp Healthcare
,
1217
F. Supp. 3d 967, 973 (S.D. Cal. 2023); and then citing
In re Meta Pixel Healthcare Litig.
,
Plaintiff alleges that Upperline has configured the Meta Pixel such that once a user has navigated to Upperline's public Website, it tracks a user's clicks on its Website. (SAC ¶ 76). For example, if a user clicks on the "Schedule an Appointment" button on Upperline's public Website, this action is shared with Facebook through a "SubscribedButtonClick" event. ( Id . ¶ 80). This event would reveal to Facebook that the user is a new or existing patient. ( Id. ). Upperline also shares its patients' status to Facebook through its transmission of SubscribedButtonClick events when they use Upperline's Website to log onto the patient portal or to pay their bills. ( Id. ¶ 77). The Pixel transmits other information too, such as the location of the appointment, the name of the doctor that a user researched on the Website, and the services a user researched on the Website. ( ¶¶ 89–91).
Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 8 of 31 PageID #:
1218
Here, Plaintiff alleges that she used the public Website to schedule appointments,
find a podiatrist, and to access the patient portal. ( ¶ 113). The court finds it plausible
that, at the very least, the information transmitted when she scheduled an appointment
with a physician is information related to patient status. Such information is PHI under
HIPAA because it is "individually identifiable" information that is "received by a health
care provider" and that "[r]elates to . . . the provision of health care to an individual." 45
C.F.R. § 160.103;
Cousin II
,
B. Count I, Negligence
Under Indiana law, common law negligence claims consist of three elements: "(1)
duty owed to the plaintiff by defendant; (2) breach of duty by allowing conduct to fall
below the applicable standard of care, and (3) compensable injury proximately caused by
defendant's breach of duty."
Bader v. Johnson
,
In Count I, Plaintiff alleges Upperline was negligent by failing to reasonably protect her Private Information from disclosure to unauthorized third parties. Upperline argues it had no duty to safeguard Plaintiff's Private Information on its public Website; Plaintiff has not alleged a cognizable injury; and Plaintiff's claim is barred by the economic loss doctrine. Plaintiff disagrees.
1. Duty "[B]usinesses have the common-law 'duty to exercise ordinary and reasonable care in the conduct of their operations . . . for the safety of others whose injuries should reasonably have been foreseen or anticipated.'" WEOC, Inc. v. Niebauer , 226 N.E.3d *9 Case 1:23-cv-01261-RLY-CSW Document 117 Filed 08/08/25 Page 9 of 31 PageID #:
1219
771, 778 (Ind. 2024) (quoting
Picadilly, Inc. v. Colvin
,
Plaintiff alleges Upperline had a duty to protect her Private Information from
disclosure and unauthorized transmittal to third parties. (SAC ¶ 200). To establish the
element of duty, Plaintiff relies on data breach cases where, for example, an employer
was subject to a cybersecurity incident in which hackers obtained the personal
information of its employees, including social security numbers, driver's licenses/state ID
numbers, and/or financial account information.
Johnson v. Nice Pak Prods., Inc.
, 736 F.
Supp. 3d 639, 644 (S.D. Ind. 2024);
McLaughlin v. Taylor Univ.
, No. 1:23-cv-00527-
HAB-SLC,
Upperline argues Plaintiff's case is different from Johnson and McLaughlin because in those cases, the victim employees were required to submit their personal information as a condition of employment, but here, Plaintiff was merely interacting with a public website. But Plaintiff alleges more than interacting with Upperline's Website. Plaintiff alleges that every time she clicked on certain buttons on the Website, such as the "Schedule an Appointment" button, the Meta Pixel installed on Upperline's public Website transmitted her Private Information to Facebook. (SAC ¶¶ 113, 118). Therefore, for purposes of this motion to dismiss, the court agrees with Plaintiff that Upperline had a duty to protect her Private Information in a reasonably secure manner.
2. Cognizable Injury
Upperline frames the next issue as whether Plaintiff has sufficiently alleged a
"cognizable" injury and not whether Plaintiff has sufficiently alleged a "compensable"
injury. The two are different. A litigant must have a cognizable injury to have Article III
standing to bring a claim.
Raines v. Byrd
,
In her Response, Plaintiff relies on Johnson and McLaughlin for the proposition that "the increased risk of harm [5] from the unauthorized disclosure of personal information and the costs to mitigate those risks are cognizable injuries under Indiana law." (Filing No. 98, Pl.'s Resp. at 12). But the "cognizable injuries" sustained by the plaintiffs in Johnson and McLaughlin —the increased risk of identity theft and fraud and the costs of monitoring credit card statements—are not the risks and injuries she claims. ( See SAC ¶ 129).
The harm Plaintiff alludes to in her Response may be her receipt of "targeted health-related advertisements on Facebook, reflecting her private medical information." (SAC ¶ 129(b); see also id. ¶ 207 (including as damages the "lost time and money incurred to mitigate and remediate the effects of use of their information, as to targeted advertisements that resulted from and were caused by [Upperline's] negligence"); Pl.'s Resp. at 4 ("As a direct result of [Upperline's] and the Third Parties' sale of her Private Information, Plaintiff receives targeted advertisements directly related to the treatment she sought from, and the Private Information she shared with, [Upperline].")). The court is not aware of an Indiana case holding targeted advertising is a compensable injury in this context. And, as pled, these advertisements were posted only on her Facebook feed. ( ¶ 129(b) ("Plaintiff now receives targeted health-related advertisements on Facebook, reflecting her private medical treatment information.")). In the absence of any further argument by Plaintiff on this topic, the court finds she has not plausibly alleged the damages element of her negligence claim. Therefore, Upperline's motion to dismiss her negligence claim is GRANTED . Having so found, the court need not discuss the economic loss doctrine.
C. Count II, Negligence Per Se
Under Indiana law, the "unexcused violation of a statute or ordinance constitutes
negligence per se if the provision (1) protects the class of persons in which the plaintiff is
included and (2) protects against the type of harm that has occurred as a result of the
violation."
Gresser v. Reliable Exterminators, Inc
.,
In Count II, Plaintiff brings a claim for negligence per se, alleging Upperline violated its duties under Section 5 of the Federal Trade Commission Act ("FTCA"), [6] "by failing to use reasonable measures to protect Plaintiffs' . . . PII and PHI and not complying with applicable industry standards." (SAC ¶ 217). Upperline argues that the FTCA does not provide Plaintiff with a private right of action and that, in any event, her negligence per se claim is duplicative of her common law negligence claim and fails for the same reasons set forth above.
Private right of action claims and negligence per se claims, though similar, are
distinct.
Stachowski v. Est. of Radman
,
However, a plaintiff bringing a negligence per se claim "must still prove causation and damages just as in any other negligence claim." Am. United Life Ins. v. Douglas , 808 N.E.2d 690, 704 (Ind. Ct. App. 2004). In support of her negligence per se claim, Plaintiff alleges the same types of injuries as her common law negligence claim. ( Compare SAC ¶ 207, with id. ¶ 220; see also id. ¶ 129). Consequently, the court finds Plaintiff fails to plausibly plead a compensable injury. Upperline's motion to dismiss Plaintiff's negligence per se claim is therefore GRANTED .
D. Count IV, Invasion of Privacy—Intrusion by Seclusion
"To establish a claim for invasion of privacy by intrusion, the plaintiff must
demonstrate that there was an intrusion upon . . . her physical solitude or seclusion, such
as by invading h[er] home or other quarters or by conducting an illegal search."
Curry v.
Whitaker
,
In Count III, Plaintiff alleges Upperline "intentionally intruded upon [her] . . .
privacy by secretly recording [her] usage of the Website, including the Private
Information and confidential communications included therein." (SAC ¶ 231).
Upperline argues this claim must be dismissed because: (1) there was no intentional
intrusion into Plaintiff's privacy; (2) any alleged "intrusion" was not highly offensive; and
See In re Sonic Corp. Customer Data Sec. Breach Litig.
, No. 1:17-md-2807,
(3) there was no physical intrusion into her privacy. The court's analysis begins and ends with Upperline's third argument.
Indiana courts narrowly construe the tort of invasion of privacy upon intrusion by
requiring the invasion be of the plaintiff's
physical
space.
Fox v. Fransican All. Inc.
, 204
N.E.3d 320, 327 (Ind. Ct. App. 2003) (citing
Curry v. Whitaker
,
Plaintiff maintains that Upperline used the Meta Pixel "to surreptitiously monitor and transmit what Plaintiff typed and read on her physical personal devices." (Pl.'s Resp. at 17). But an "intrusion" into one's personal devices—i.e., an iPhone, iPad, or laptop computer—is not an intrusion into one's private physical space. Therefore, the court finds this tort has no application to the facts she has alleged. Upperline's motion to dismiss Plaintiff's invasion of privacy by intrusion claim is GRANTED .
E. Count IV, Invasion of Privacy—Disclosure of Private Facts
The tort of public disclosure of private facts consists of four elements: "(1) the
information disclosed must be private in nature; (2) the disclosure must be made to the
public; (3) the disclosure must be one that would be highly offensive to a reasonable
person; and (4) the information disclosed is not of legitimate public concern."
Cmty.
Health Network, Inc. v. McKenzie
,
In Count IV, Plaintiff alleges Upperline publicly disclosed her Private Information by sharing her Private Information with Facebook. Upperline argues it made no disclosure to the public at large.
The publicity element "means that the information must be communicated in a way that either reaches or is sure to reach the public in general or a large enough number of persons such that the matter is sure to become public knowledge." Id. Plaintiff has not plausibly alleged that her Private Information is sure to reach the public. Indeed, Plaintiff alleges her Private Information was transmitted to Facebook via the Meta Pixel, which resulted in her receiving health-related targeted advertisements on her personal Facebook feed.
Plaintiff's reliance on Z.D. v. Community Health Network, Inc. , for the proposition that disclosure to one person can satisfy the publicity element, is misleading. 217 N.E.3d 527 (Ind. 2023). In Z.D. , a letter containing the plaintiff's private medical information was mailed to a teenage acquaintance of plaintiff's daughter, and that teenager then posted the letter to Facebook. Id. at 530. Under these unique circumstances, the Indiana Supreme Court concluded that "disclosure to one person may, based on the facts and circumstances in a particular case, satisfy the publicity element." at 536. This makes sense in cases like Z.D. , where the disclosure was posted on the teenager's public Facebook page, which could then be shared by the teenager's Facebook friends. That is not the case here. The only person seeing the targeted advertisements is Plaintiff. Upperline's motion to dismiss Plaintiff's public disclosure of private facts claim is GRANTED .
F. Count V, Implied Contract
To succeed on a breach of contract claim in Indiana, a plaintiff must allege facts
establishing: (1) a valid contract existed, (2) breach of that contract, and (3) damages
caused by the breach.
Trs. of Ind. Univ. v. Spiegel
,
Both express and implied in fact contracts require an offer, acceptance,
consideration, and a manifestation of mutual assent.
Id.
"They differ only in that an
express contract is evidenced by spoken and written words while an implied contract is
evidenced by the conduct of the parties."
Id
. (quoting
DiMizio v. Romo
, 756 N.E.2d
1018, 1024 (Ind. Ct. App. 2001))). Accordingly, "a contract implied in fact arises out of
acts and conduct of the parties, coupled with a meeting of the minds and a clear intent of
the parties in the agreement."
McCart v. Chief Exec. Officer in Charge, Indep. Fed.
Credit Union
,
Plaintiff alleges that when she paid money and provided her Private Information to Upperline as consideration in exchange for medical services, she and Upperline entered into an implied contract pursuant to which Upperline agreed to safeguard and not disclose her Private Information. (SAC ¶ 253). "Under the terms of the contract, including the implied duty of good faith and the standards and policies governing [Upperline], such as HIPAA, . . . and industry standards, [Upperline] was obligated to protect Plaintiff's Private Information." (Pl.'s Resp. at 19). Upperline breached this implicit agreement by disclosing her Private Information to unauthorized third parties, including Facebook. (SAC ¶ 258).
Upperline argues Plaintiff has failed to plausibly allege the existence of a contract, mutual assent, consideration, and damages. Plaintiff disagrees and maintains her implied contract claim is well pleaded.
The court finds Plaintiff's theory of implied contract fails for two reasons. First,
although Plaintiff's payment for medical services could be consideration for an agreement
related to website security data, HIPAA already requires Upperline to protect PHI without
receiving any consideration from Plaintiff or any other visitor on its Website. "[A]
promise to do what one 'is already bound to do by law or by contract' is insufficient
consideration."
Peters v. Kendall
,
Second, under Indiana law, compensable damages are an element of a breach of
contract claim.
Pisciotta
,
That leaves Plaintiff's claim for lost benefit of the bargain. "[A] party injured by a
breach of contract may recover the benefit of h[er] bargain but is limited in h[er] recovery
to the loss actually suffered."
Sanchez v. Benkie
,
G. Count VI, Unjust Enrichment
A claim for unjust enrichment, also referred to as quantum meruit or quasi-
contract, requires a plaintiff to establish that "(1) [s]he rendered a measurable benefit to
the defendant at the defendant's express or implied request; (2) [s]he expected payment
from the defendant; and (3) allowing the defendant to retain the benefit without
restitution would be unjust."
Niebert v. Perdomo
,
Upperline argues Plaintiff has not pleaded any facts to show she expected payment from Upperline in exchange for using its free-to-access public Website. In response, Plaintiff insists she conferred a measurable benefit to Upperline because she paid for Upperline's medical services, which allegedly included privacy and data security protection. (Pl.'s Resp. at 22; see also SAC ¶ 122 ("Plaintiff paid for [Upperline's] healthcare services, which included reasonable privacy and data security protections for [her] Private Information.")).
Under Indiana law, a plaintiff cannot recover under a theory of unjust enrichment
without showing that she conferred a benefit with the expectation of payment.
Bayh v.
Sonnenburg
,
H. Count VII, Bailment
In Indiana, "[a] bailment is an agreement, either express or implied, that one
person will entrust personal property to another for a specific purpose and that when the
purpose is accomplished the bailee will return the property or the bailor will reclaim it."
Stubbs v. Hook
,
In Count VII, Plaintiff alleges a claim for bailment under the theory that she transmitted her Private Information "in trust for a specific and sole purpose of receiving Upperline's medical treatment," but rather than use it "to facilitate [her] medical treatment," Upperline used it for "marketing and advertising purposes." (SAC ¶¶ 272, 274). Upperline contends Plaintiff's bailment theory cannot stand because she has not plausibly alleged she made a full transfer of her Private Information to Upperline such that Upperline had exclusive possession of it. Plaintiff disagrees, arguing her "data was exclusively possessed by Upperline on its server." (Pl.'s Resp. at 22–23).
Under Indiana law, "[f]or delivery to occur, there must be a
full transfer
of the
property, either actually or constructively, to the sole custody of the bailee such as to
exclude the owner/bailor and others."
Winters
,
I. Count VIII, Indiana Deceptive Consumer Sales Act Under the Indiana Deceptive Consumer Sales Act ("IDCSA"), a "supplier may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction." Ind. Code § 24-5-0.5-3(a). The Act recognizes two types of deceptive acts: "uncured" deceptive acts, and "incurable" deceptive acts. Ind. Code § 24-5-0.5-2(a)(7)–(8).
In Count VIII, Plaintiff alleges an incurable deceptive act, which is defined as
"a deceptive act done by a supplier as part of a scheme, artifice, or device with intent to
defraud or mislead." Ind. Code § 24-5-0.5-2(a)(8). Because an incurable deceptive act
sounds in fraud,
McKinney v. State
,
Here, Plaintiff alleges Upperline encouraged patients to use its Website and online platforms and "made express and implied promises to protect Plaintiff's . . . Private Information." (SAC ¶¶ 27, 284(a)). Nevertheless, Upperline "fail[ed] to disclose the material fact that it discloses patients' Private Information to Facebook and potentially other third parties, . . . without their knowledge, consent, or authorization." ( ¶ 284(a)).
Citing
McKinney
, Plaintiff argues she has pleaded fraud with sufficient
particularity because she "alleges facts to show 'a discrepancy between what was told to
the consumer and the underlying facts.'" (Pl.'s Resp. at 24 (quoting
McKinney
, 693
N.E.2d at 71)). The language she quotes from
McKinney
merely stands for the
proposition that a claim "sounds in fraud" under Indiana Trial Rule 9(B) (which is nearly
identical to Federal Rule of Civil Procedure 9(b)) "if based on a discrepancy between
what was told to the consumer and the underlying facts."
McKinney
,
Turning to Upperline's argument, the court agrees that Plaintiff has not pled her
IDCSA claim with sufficient particularity under Rule 9(b). She fails to allege who
(generally) at Upperline made the promise, when those promises were made, and how
those promises were communicated to her. She also fails to plead whether those
promises to keep her information private extended to her interactions on Upperline's
Website. This omission is important because, as Plaintiff concedes, "Upperline did not
provide a written Privacy Policy or Notice of Privacy Practices to users of its Website or
otherwise notify Website users of its privacy policies and practices." (SAC ¶ 71).
Finally, Plaintiff does not plead that she relied on Upperline's promises to her detriment.
Jones v. Bridgepoint Educ., Inc.
, No. 1:16-cv-338,
J. Count IX, Violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2511(1)
The Electronic Communications Privacy Act ("ECPA") provides that any person who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication" may be subject to civil penalties, among other things. 18 U.S.C. § 2511(1)(a), (5)(a)(ii). The same is true for any person who intentionally discloses or uses, or endeavors to disclose or use, the contents of an intercepted communication. Id . § 2511(1)(c), (d). The statute provides an exception if the person intercepting or causing an interception of a communication "is a party to the communication." Id. § 2511(2)(d). This "party exception" does not apply, however, if the "communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." § 2511(2)(d).
In Count IX, Plaintiff asserts Upperline violated § 2511(1)(a), (c), and (d) of the ECPA through the tracking technology installed on its Website. Upperline moves to dismiss this claim because (1) it was a party to the alleged communications on its Website; (2) the crime-tort exception does not apply; and (3) Plaintiff fails to plausibly show that the "contents" of any communications were disclosed to a third party. Plaintiff does not dispute that Upperline may invoke the party exception. Accordingly, the court turns to whether the crime-tort exception applies.
Plaintiff contends the crime-tort exception applies because HIPAA makes it a crime for a healthcare provider to "disclose a person's personally identifiable health information to a third party without express written authorization." (SAC ¶ 4); see also 42 U.S.C. § 1320d-6(a)(3) (stating HIPAA makes it a crime to, as relevant here, "knowingly . . . disclose[] individually identifiable health information to another person . . . without authorization"). She also contends the disclosure included the "contents" of her communications—defined as "any information concerning the substance, purport, or meaning of that communication," 18 U.S.C. § 2510(8)—to a third party. For the reasons explained in Section III.A. of this opinion, the court agrees with Plaintiff and finds she has plausibly alleged that Upperline's tracking technology on its Website disclosed her Private Information—i.e., the "contents" of her communications with Upperline— without her written authorization to a third party like Facebook.
Nevertheless, Upperline argues that Plaintiff has not sufficiently alleged that Upperline intercepted any communication "for the purpose of committing any criminal or tortious act." § 2511(2)(d) (emphasis added). As pled, Upperline argues, its purpose was not to violate HIPAA; it was simply to boost business from targeted advertising.
The SAC's basis for conferring criminal purpose is not merely the fact of Upperline's wiretapping—its interception of Plaintiff's communications with Upperline's Website. It is also that Upperline's business arrangement with Facebook reveals its intent to profit commercially from exploiting Private Information, in violation of HIPAA. These allegations supply a plausible basis on which to infer criminal intent. Accordingly, Upperline's motion to dismiss Plaintiff's ECPA claim based on § 2511(1)(a), (c), (d) is DENIED .
K. Count X, Violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2511(3)(a), and Count XI, Violation of the Stored Communications Act, 18 U.S.C. § 2702(a)(1) Section 2511(3)(a) of the ECPA prohibits the provider of an "electronic communication service" from divulging the content of communications transmitted on that service to third parties (i.e., anyone other than the addressee or the intended recipient). Section 2702(a)(1) of the Stored Communication Act ("SCA") [9] provides that, with certain exceptions, a person or entity providing either an electronic communication service or remote computing service to the public shall not "knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." § 2702(a)(1). For purposes of the ECPA and SCA, an "electronic communication service" is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications." Id . § 2510(15). In Counts X and XI, Plaintiff alleges Upperline divulged the contents of her communications on Upperline's Website to Facebook.
Upperline contends that it is a healthcare organization, not an electronic communication service provider, and thus cannot be liable under § 2511(3)(a) of the ECPA or the SCA. Plaintiff responds that Upperline fits within the definition because it "'provided'; i.e., made available, its website to the public." (Pl.'s Resp. at 29).
Upperline cannot plausibly be considered an electronic service provider within the
meaning of the ECPA or SCA. Communication service providers include "internet
service providers, electronic mail providers, telecommunications companies, and remote
computing services."
St. Johns Vein Ctr., Inc. v. StreamlineMD LLC
, 347 F. Supp. 3d
1047, 1064 (M.D. Fla. 2018) (quoting
IPC Sys., Inc. v. Garrigan
, No. 1:11-cv-3910-AT,
L. Count XII, Computer Fraud and Abuse Act The Computer Fraud and Abuse Act ("CFAA") applies to one who "intentionally accesses a computer without authorization or exceeds access, and thereby obtains . . . information from a protected computer." 18 U.S.C. § 1030(a)(2)(C). The statute defines the term "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6). A "protected computer" is one "used in interstate or foreign commerce or communication." Id. § 1030(e)(2)(B). In Count XII, Plaintiff alleges Upperline "exceeded, and continues to exceed, authorized access to [her] . . . protected computer[] and obtained information thereby" and she suffered a loss "during any 1-year period" of "at least $5,000 in value" under id. § 1030(c)(4)(A)(i)(I). (SAC ¶¶ 342–43).
According to Upperline, Plaintiff has not sufficiently alleged that (1) it exceeded "authorized access" to her computer and that (2) she suffered any damage or loss. Plaintiff says her allegations are sufficient because she has alleged that Upperline "surreptitiously implemented pixel trackers on its website to disclose Plaintiff's Private Information to third parties" and has sufficiently alleged she suffered a loss. (Pl.'s Resp. at 30).
In
Van Buren v. United States
, the Supreme Court held that "an individual 'exceeds
authorized access' when he accesses a computer with authorization but then obtains
information located in particular areas of the computer—such as files, folders, or
databases—that are off limits to him."
Turning to Upperline's second argument, the CFAA defines "damage" as "any
impairment to the integrity or availability of data, a program, a system, or information."
18 U.S.C. § 1030(e)(8). Similarly, "loss" is defined as "any reasonable cost to any
victim, including the cost of responding to an offense, conducting a damage assessment,
and restoring the data, program, system, or information to its condition prior to the
offense, and any revenue lost, cost incurred, or other consequential damages incurred
because of interruption of service[.]"
Id
. at § 1030(e)(11). As the Supreme Court in
Van
Buren
noted, "[t]he statutory definitions of 'damage' and 'loss' thus focus on technological
harms—such as the corruption of files—of the type unauthorized users cause to computer
systems and data. Limiting 'damage' and 'loss' in this way makes sense in a scheme
'aimed at preventing the typical consequences of hacking.'"
In her Response, Plaintiff argues she suffered "losses which aggregate to at least $5,000 in value, including monetary damages, loss of privacy, unauthorized disclosure of Private Information, decreased value of Private Information, lost benefit of the bargain, and increased risk of future harm resulting from further unauthorized disclosure of her information." (Pl.'s Resp. at 31 (citing SAC ¶¶ 206, 260, 343). But these damages are the damages she seeks for negligence (SAC ¶ 206) and breach of contract ( id. ¶ 260). For her CFAA claim, she alleges a loss of at least $5,000 "because of the secret transmission of [her] Private Information . . . which w[as] never intended for public consumption." ( ¶ 343). Whether the court considers her version of the loss actually suffered or limits the loss claimed in this CFAA count, the result is the same: Plaintiff has not alleged any harm or damage to her computer as a result of Upperline's tracking technology. Therefore, Plaintiff has not stated a plausible claim for a violation of CFAA and Upperline's motion to dismiss this claim is GRANTED .
IV. Conclusion
For the reasons set forth above, the court GRANTS in part and DENIES in part Defendant's Motion to Dismiss (Filing No. 90). The motion is GRANTED with respect to Counts I-VIII and X-XII and DENIED with respect to Count IX, Plaintiff's claim under § 2511 of the ECPA.
IT IS SO ORDERED this 8th day of August 2025.
s/RLY Distributed Electronically to Registered Counsel of Record.
Notes
[1] Upperline removed its Indiana-focused website sometime after April 23, 2023. (SAC ¶ 10 n.15). The URL, hppt://upperlinehealthindiana.com now redirects to http://www.upperlinehealth.com.
[2] Pursuant to the Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d et seq ., and its implementing regulations ("HIPAA"), "protected health information," or "PHI," is defined as "individually identifiable" information that is "created or received by a health care provider" and that "[r]elates to the past, present, or future physical or mental health or condition of an individual" or the "provision of health care to an individual." 45 C.F.R. § 160.103
[3] The Federal Trade Commission defines "identifying information" as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including, among other things, "[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number." 17 C.F.R. § 248.201(b)(8).
[4]
McLaughlin
and
Johnson
relied on Indiana's Model Jury Instruction 703(3) for the proposition
that Indiana law allows for damages regarding the value of lost time.
McLaughlin
, 2024 WL
4274848, at *3;
Johnson
,
[5] The "increased risk of harm" language comes from the Seventh Circuit's standing analysis in
Lewert v. P.F. Chang's China Bistro, Inc.
,
[6] Section 5 of the FTCA prohibits "unfair . . . acts or practices in or affecting commerce." 15 U.S.C. § 45. "Unfair or deceptive acts" are further defined as those that: "(i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States." § 45(4)(A)(i–ii).
[7] The court takes no position on whether the FTCA lay out the "objective standards" which, if violated, could supply the standard for a negligence per se claim to proceed under Indiana law.
[8] Plaintiff cites paragraphs 161, 193 and 199 of her SAC as support, but those paragraphs say nothing about damages.
[9] The SCA was enacted in 1986 as part of the ECPA.
IPC Sys., Inc. v. Garrigan
, No. 1:11-cv-
3910-AT,